Security Axioms  


  • Security and complexity are often inversely proportional.
  • Security and usability are often inversely proportional.
  • Security is an investment, not an expense.
  • "Good enough" security now, is better than "perfect" security …never.[1]
  • There is no such thing as “complete security” in a usable system.
  • A false sense of security is worse than a true sense of insecurity.
  • Your absolute security is only as strong as your weakest link.
  • Concentrate on known, probable threats.
  • Security is directly related to the education and ethics of your users.
  • Security is not a static end state, it is an interactive process.
  • There are few forces in the universe stronger than the desire of an individual to get his or her job accomplished.
  • Security is a people problem. Corollary: People cause security problems, they don’t just happen. (Submitted by Bret Watson.)
  • You only get to pick two: fast, secure, cheap. (Submitted by Brett Eldridge.)
  • Snyder’s Razor: In the absence of other factors, always use the most secure options available. (You are either serious about security, or you’re just fooling around.) (Dr. Joel Snyder) 
  • Security ultimately relies – and fails – on the degree to which you are thorough. People don’t like to be thorough. It gets in the way of being done. (Dave Piscitello) 
  • The cost of security is nothing compared to the cost of exploitation. Corollary: The cost of an education is nothing compared to the cost of ignorance. (Jim Coffman)  
  • “I give you integers: go forth and multiply! And then expect overflow more than 9 times out of 10.” (Alan Krassowski)
  • Build your security policy around the “pain point” of “acceptable loss.” You don’t want to lose anything, but what are you willing to lose? (Dan Klein)
  • The cost of your security mitigators and measures should be related to the value of what your are trying to protect. (Scott Pinzon)

False Dogma (aka "bogons")

  • Security through obscurity is wrong.
  • Security must (should) be 100%.
  • Don’t use security to fix social problems.
  • If you can’t trust your own employees, you have bigger problems than Internet threats. (Implication: What’s wrong with your company?)
  • We can always add security later. (Dave Piscitello) 
  • “We have special requirements. We don’t have resources for these security measures.” (That’s why we are 5-10 years behind the times.)

Have others to add? Send them to

[1] “Not everything worth doing is worth doing well,” Tom West, Data General, as reported in Peters, Tom, A Passion for Excellence, and “A good plan, violently executed right now is far better than a perfect plan executed next week,” General George S. Patton, IBID.